linux/lib
Matthew Wilcox 0472f94cef idr: fix invalid ptr dereference on item delete
commit 7a4deea1aa upstream.

If the radix tree underlying the IDR happens to be full and we attempt
to remove an id which is larger than any id in the IDR, we will call
__radix_tree_delete() with an uninitialised 'slot' pointer, at which
point anything could happen.  This was easiest to hit with a single
entry at id 0 and attempting to remove a non-0 id, but it could have
happened with 64 entries and attempting to remove an id >= 64.

Roman said:

  The syzcaller test boils down to opening /dev/kvm, creating an
  eventfd, and calling a couple of KVM ioctls. None of this requires
  superuser. And the result is dereferencing an uninitialized pointer
  which is likely a crash. The specific path caught by syzbot is via
  KVM_HYPERV_EVENTD ioctl which is new in 4.17. But I guess there are
  other user-triggerable paths, so cc:stable is probably justified.

Matthew added:

  We have around 250 calls to idr_remove() in the kernel today. Many of
  them pass an ID which is embedded in the object they're removing, so
  they're safe. Picking a few likely candidates:

  drivers/firewire/core-cdev.c looks unsafe; the ID comes from an ioctl.
  drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c is similar
  drivers/atm/nicstar.c could be taken down by a handcrafted packet

Link: http://lkml.kernel.org/r/20180518175025.GD6361@bombadil.infradead.org
Fixes: 0a835c4f09 ("Reimplement IDR and IDA using the radix tree")
Reported-by: <syzbot+35666cba7f0a337e2e79@syzkaller.appspotmail.com>
Debugged-by: Roman Kagan <rkagan@virtuozzo.com>
Signed-off-by: Matthew Wilcox <mawilcox@microsoft.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:51:49 +02:00
..
842 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
fonts License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lz4 lib/lz4: make arrays static const, reduces object code size 2017-10-03 17:54:25 -07:00
lzo License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mpi lib/mpi: Fix umul_ppmm() for MIPS64r6 2018-03-03 10:24:29 +01:00
raid6 License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
reed_solomon
xz
zlib_deflate zlib_deflate/deftree: remove bi_reverse() 2015-09-10 13:29:01 -07:00
zlib_inflate lib/zlib_inflate/inftrees.c: fix potential buffer overflow 2017-05-08 17:15:12 -07:00
zstd lib: Add zstd modules 2017-08-15 09:02:08 -07:00
.gitignore
argv_split.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
asn1_decoder.c ASN.1: check for error from ASN1_OP_END__ACT actions 2017-12-14 09:52:52 +01:00
assoc_array.c assoc_array: Fix a buggy node-splitting case 2017-10-28 10:31:07 -07:00
atomic64_test.c lib/atomic64_test.c: add a test that atomic64_inc_not_zero() returns an int 2017-07-14 15:05:13 -07:00
atomic64.c locking/atomic: Implement atomic{,64,_long}_fetch_{add,sub,and,andnot,or,xor}{,_relaxed,_acquire,_release}() 2016-06-16 10:48:32 +02:00
audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bcd.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bch.c
bitmap.c lib: fix stall in __bitmap_parselist() 2018-04-19 08:56:20 +02:00
bitrev.c
bsearch.c lib/bsearch.c: micro-optimize pivot position calculation 2017-07-10 16:32:35 -07:00
btree.c treewide: Remove old email address 2015-11-23 09:44:58 +01:00
bug.c lib/bug.c: exclude non-BUG/WARN exceptions from report_bug() 2018-03-15 10:54:32 +01:00
build_OID_registry
bust_spinlocks.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
chacha20.c random: replace non-blocking pool with a Chacha20-based CRNG 2016-07-03 00:57:23 -04:00
check_signature.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
checksum.c ipv4: Update parameters for csum_tcpudp_magic to their original types 2016-03-13 23:55:13 -04:00
clz_ctz.c
clz_tab.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cmdline.c lib/cmdline.c: remove meaningless comment 2017-09-08 18:26:49 -07:00
compat_audit.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cordic.c
cpu_rmap.c
cpumask.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crc4.c lib: Add crc4 module 2017-06-09 11:52:07 +02:00
crc7.c
crc8.c
crc16.c
crc32.c lib: add module support to crc32 tests 2017-02-24 17:46:57 -08:00
crc32defs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
crc32test.c lib: add module support to crc32 tests 2017-02-24 17:46:57 -08:00
crc-ccitt.c
crc-itu-t.c
crc-t10dif.c
ctype.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debug_info.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debug_locks.c
debugobjects.c debugobjects: Make kmemleak ignore debug objects 2017-08-14 16:51:01 +02:00
dec_and_lock.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
decompress_bunzip2.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_inflate.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
decompress_unlz4.c lib/decompress_unlz4: change module to work with new LZ4 module version 2017-02-24 17:46:57 -08:00
decompress_unlzma.c lib/decompress_unlzma: Do a NULL check for pointer 2015-09-10 13:29:01 -07:00
decompress_unlzo.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress_unxz.c lib/decompressors: use real out buf size for gunzip with kernel 2015-09-10 13:29:01 -07:00
decompress.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
devres.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
digsig.c lib/digsig: fix dereference of NULL user_key_payload 2017-10-12 17:16:40 +01:00
div64.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dma-debug.c dmaengine updates for 4.12-rc1 2017-05-09 15:40:28 -07:00
dma-noop.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dma-virt.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dump_stack.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
dynamic_debug.c dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 2017-12-14 09:53:08 +01:00
dynamic_queue_limits.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
earlycpio.c lib/cpio: Make find_cpio_data()'s offset arg optional 2016-06-08 11:04:19 +02:00
errseq.c errseq: Always report a writeback error once 2018-05-09 09:51:54 +02:00
extable.c lib/extable.c: use bsearch() library function in search_extable() 2017-07-10 16:32:35 -07:00
fault-inject.c fault-inject: fix wrong should_fail() decision in task context 2017-08-10 15:54:06 -07:00
fdt_empty_tree.c
fdt_ro.c
fdt_rw.c
fdt_strerror.c
fdt_sw.c
fdt_wip.c
fdt.c
find_bit.c lib/find_bit.c: micro-optimise find_next_*_bit 2017-02-24 17:46:57 -08:00
flex_array.c
flex_proportions.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
gcd.c lib/GCD.c: use binary GCD algorithm instead of Euclidean 2016-05-20 17:58:30 -07:00
gen_crc32table.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
genalloc.c lib/genalloc.c: make the avail variable an atomic_long_t 2017-12-14 09:53:08 +01:00
glob.c lib: add module support to glob tests 2017-02-24 17:46:57 -08:00
globtest.c lib: add module support to glob tests 2017-02-24 17:46:57 -08:00
hexdump.c lib/hexdump.c: return -EINVAL in case of error in hex2bin() 2017-09-08 18:26:49 -07:00
hweight.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
idr.c lib/idr.c: fix comment for idr_replace() 2017-10-03 17:54:25 -07:00
inflate.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
int_sqrt.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
interval_tree_test.c lib/interval_tree: fast overlap detection 2017-09-08 18:26:49 -07:00
interval_tree.c
iomap_copy.c lib/iomap_copy.c: add __ioread32_copy() 2016-01-20 17:09:18 -08:00
iomap.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iommu-common.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
iommu-helper.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ioremap.c mm/vmalloc: add interfaces to free unmapped page table 2018-03-28 18:24:38 +02:00
iov_iter.c iov_iter: fix page_copy_sane for compound pages 2017-09-20 23:27:48 -04:00
irq_poll.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
irq_regs.c
is_single_threaded.c sched/headers: Prepare to move 'init_task' and 'init_thread_union' from <linux/sched.h> to <linux/sched/task.h> 2017-03-02 08:42:38 +01:00
jedec_ddr_data.c
kasprintf.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig Merge branch 'zstd-minimal' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2017-09-14 17:30:49 -07:00
Kconfig.debug kmemcheck: rip it out 2018-02-22 15:42:24 +01:00
Kconfig.kasan kasan: rework Kconfig settings 2018-02-16 20:23:04 +01:00
Kconfig.kgdb lib: update location of kgdb documentation 2017-05-16 08:44:22 -03:00
Kconfig.ubsan Kconfig: lib/Kconfig.ubsan fix reference to ubsan documentation 2016-12-14 16:04:08 -08:00
kfifo.c
klist.c klist: fix starting point removed bug in klist iterators 2016-02-07 22:18:47 -08:00
kobject_uevent.c driver core: suppress sending MODALIAS in UNBIND uevents 2017-09-18 16:48:33 +02:00
kobject.c kobject: don't use WARN for registration failures 2018-05-01 12:58:19 -07:00
kstrtox.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
kstrtox.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lcm.c
libcrc32c.c crypto: Work around deallocated stack frame reference gcc bug on sparc. 2017-06-08 17:36:03 +08:00
list_debug.c bug: switch data corruption check to __must_check 2017-02-24 17:46:56 -08:00
list_sort.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
llist.c lib/llist.c: fix data race in llist_del_first 2015-11-06 17:50:42 -08:00
locking-selftest-hardirq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-mutex.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rlock-hardirq.h
locking-selftest-rlock-softirq.h
locking-selftest-rlock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rsem.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-rtmutex.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-softirq.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-spin-hardirq.h
locking-selftest-spin-softirq.h
locking-selftest-spin.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-wlock-hardirq.h
locking-selftest-wlock-softirq.h
locking-selftest-wlock.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest-wsem.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
locking-selftest.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lockref.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
lru_cache.c lru_cache: Converted lc_seq_printf_status to return void 2015-11-25 09:22:02 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
memory-notifier-error-inject.c
memweight.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
net_utils.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
netdev-notifier-error-inject.c net: Add support for CHANGEUPPER notifier error injection 2015-12-03 11:49:23 -05:00
nlattr.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nmi_backtrace.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nodemask.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
notifier-error-inject.c
notifier-error-inject.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
of-reconfig-notifier-error-inject.c
oid_registry.c 509: fix printing uninitialized stack memory when OID is empty 2018-02-25 11:08:01 +01:00
once.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
parman.c lib: Introduce priority array area manager 2017-02-03 16:35:42 -05:00
parser.c parser: add u64 number parser 2016-12-06 10:17:03 +02:00
pci_iomap.c
percpu_counter.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
percpu_ida.c sched/headers: Prepare to remove the <linux/gfp.h> include from <linux/sched.h> 2017-03-02 08:42:34 +01:00
percpu_test.c
percpu-refcount.c percpu-refcount: support synchronous switch to atomic mode. 2017-03-22 19:18:43 -07:00
plist.c sched/headers: Prepare for new header dependencies before moving code to <linux/sched/clock.h> 2017-03-02 08:42:27 +01:00
pm-notifier-error-inject.c
prime_numbers.c lib/prime_numbers: Suppress warn on kmalloc failure 2017-01-23 09:17:12 +01:00
radix-tree.c idr: fix invalid ptr dereference on item delete 2018-05-30 07:51:49 +02:00
random32.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ratelimit.c lib/ratelimit.c: use deferred printk() version 2017-10-03 17:54:26 -07:00
rational.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rbtree_test.c lib/rbtree_test.c: support rb_root_cached 2017-09-08 18:26:48 -07:00
rbtree.c rbtree: add some additional comments for rebalancing cases 2017-09-08 18:26:48 -07:00
reciprocal_div.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
refcount.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rhashtable.c rhashtable: Fix rhlist duplicates insertion 2018-03-31 18:10:40 +02:00
sbitmap.c sbitmap: add sbitmap_get_shallow() operation 2017-04-14 14:06:52 -06:00
scatterlist.c scatterlist: add sg_zero_buffer() helper 2017-06-15 14:30:14 +02:00
seq_buf.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sg_pool.c lib: scatterlist: move SG pool code from SCSI driver to lib/sg_pool.c 2016-04-15 16:53:14 -04:00
sg_split.c
sha1.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
show_mem.c lib/show_mem.c: teach show_mem to work with the given nodemask 2017-02-22 16:41:30 -08:00
siphash.c siphash: implement HalfSipHash1-3 for hash tables 2017-01-09 13:58:57 -05:00
smp_processor_id.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
sort.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
stackdepot.c lib/stackdepot: export save/fetch stack for drivers 2016-11-11 08:12:37 -08:00
stmp_device.c
string_helpers.c mm: treewide: remove GFP_TEMPORARY allocation flag 2017-09-13 18:53:16 -07:00
string.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
strncpy_from_user.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
strnlen_user.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
swiotlb.c swiotlb: suppress warning when __GFP_NOWARN is set 2018-02-22 15:42:15 +01:00
syscall.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
test_bitmap.c lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly 2018-05-22 18:53:58 +02:00
test_bpf.c bpf: fix selftests/bpf test_kmod.sh failure when CONFIG_BPF_JIT_ALWAYS_ON=y 2018-04-26 11:02:16 +02:00
test_debug_virtual.c lib: add test module for CONFIG_DEBUG_VIRTUAL 2017-09-08 18:26:49 -07:00
test_firmware.c test_firmware: fix missing unlock on error in config_num_requests_store() 2018-02-03 17:39:24 +01:00
test_hash.c lib/test_hash.c: fix warning in preprocessor symbol evaluation 2016-09-01 17:52:01 -07:00
test_hexdump.c test_hexdump: print statistics at the end 2016-01-20 17:09:18 -08:00
test_kasan.c kasan: report only the first error by default 2017-03-31 17:13:30 -07:00
test_kmod.c test_kmod: flip INT checks to be consistent 2017-09-08 18:26:50 -07:00
test_list_sort.c lib: add module support to linked list sorting tests 2017-05-08 17:15:10 -07:00
test_module.c
test_parman.c lib: fix spelling mistake: "actualy" -> "actually" 2017-02-26 11:03:38 -05:00
test_printf.c mm, printk: introduce new format string for flags 2016-03-15 16:55:16 -07:00
test_rhashtable.c lib: test_rhashtable: Fix KASAN warning 2017-07-25 12:35:23 -07:00
test_siphash.c siphash: implement HalfSipHash1-3 for hash tables 2017-01-09 13:58:57 -05:00
test_sort.c Revert "lib/test_sort.c: make it explicitly non-modular" 2017-05-08 17:15:10 -07:00
test_static_key_base.c
test_static_keys.c locking/static_keys: Avoid nested functions 2016-02-09 10:27:29 +01:00
test_sysctl.c test_sysctl: test against int proc_dointvec() array support 2017-07-12 16:26:00 -07:00
test_user_copy.c lib: remove check for AVR32 arch in test_user_copy 2017-05-01 09:36:30 +02:00
test_uuid.c uuid: fix incorrect uuid_equal conversion in test_uuid_test 2017-07-21 09:38:30 +02:00
test-kstrtox.c
test-string_helpers.c lib/test-string_helpers.c: fix and improve string_get_size() tests 2016-02-03 08:28:43 -08:00
textsearch.c
timerqueue.c timerqueue: Use rb_entry_safe() instead of open-coding it 2017-01-20 08:03:42 +01:00
ts_bm.c
ts_fsm.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ts_kmp.c textsearch: fix typos in library helpers 2017-10-22 03:14:07 +01:00
ubsan.c lib/ubsan: add type mismatch handler for new GCC/Clang 2018-02-16 20:23:09 +01:00
ubsan.h lib/ubsan: add type mismatch handler for new GCC/Clang 2018-02-16 20:23:09 +01:00
ucs2_string.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
usercopy.c Fix misannotated out-of-line _copy_to_user() 2018-03-19 08:42:56 +01:00
uuid.c uuid: hoist uuid_is_null() helper from libnvdimm 2017-06-05 16:59:05 +02:00
vsprintf.c DeviceTree for 4.13: 2017-07-07 10:37:54 -07:00
win_minmax.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xxhash.c lib: Add xxhash module 2017-08-15 09:02:07 -07:00